Dark Reading Radio: The Real Reason Security Jobs Remain Vacant

Join us Wednesday, May 28, at 1:00 p.m. Eastern, to learn why good security staff really are not hard to find, if you know what to look for.

Woe is you. You're desperately looking for someone to fill that vacant security position -- to protect your company and to soothe the other hellishly overworked security staff -- but you cannot find anyone qualified for the position.

You may be feeling bad for yourself, but here's the thing: It's all your fault.

Want to know why it's your fault and how to fix it? Then join us tomorrow -- Wednesday, May 28 -- at 1:00 p.m. Eastern Time for the next episode of Dark Reading Radio: "The Real Reason You Can't Fill Vacant Security Jobs."

My guests will be Julie Peeler, head of the ISC(2) foundation, and Mark Aiello, president of Boston-based cyber security staffing firm Cyber360 Solutions. In this episode we will discuss some of the findings of the security section of the InformationWeek IT Salary Survey and explain what they mean to you. Such as:

Security professionals earn more than the average IT worker. The median base salary of IT staff overall is $88,000 annually, compared with $98,000 for security staff. The base salaries of managers are $112,000 and $125,000, respectively. Maybe you are having trouble finding or keeping security staff because you're not paying them enough.

None of the security managers who responded to the survey and only 3 percent of the security staff respondents are age 25 or under. Seventy-eight percent of staff and 87 percent of managers are ages 36 and over. The median number of years that the survey respondents (security staff and management alike) have spent working in the IT profession (security or otherwise) is 18. If you think that you're going to find security professionals in their early 20s who have CISSPs and degrees from prestigious four-year colleges, who will work for $50,000 a year, you are sorely mistaken. Young talent is out there -- maybe you just aren't looking in the right places.

Two-thirds of both staff and managers say they are at least satisfied with their jobs, if not “very satisfied.” And yet 45 percent of staff and 44 percent of managers are looking for new jobs to some degree. Security staff feel so secure in their jobs that they feel confident asking for more money and benefits. If your security pros keep leaving for better jobs, maybe you aren't trying hard enough to retain them.

This will be an essential conversation for anyone who hires security staff and a valuable discussion for everyone in security who wants a better idea of what they're really worth (and how to make sure they get every penny of it).

So register now and join us Wednesday at 1:00 p.m. Eastern Time. Have questions for the guests? Share them in the comments section below or bring them along to the show Wednesday -- we'll be taking questions from the live audience and the guests will join the audience in a live text chat following the broadcast.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...


What I have experienced is that the individuals who have the large laundry list of certifications generally view certs as the finish line. Some of the most talented security professionals I know do not have a single cert. The difference is in passion for security of the quest for money.

Wanted to add to the discussion. I have seen my share of over-certified security professionals that do not have the necessary hands-on experience to support their wealth of certifications. This can be a trap for an organization who 1) do not understand what the problem is they are trying to address in the vacancy, 2) large quantities of certifications give the impression of "knowledge", often overriding candidates who have extensive hands-on practical experience in the field. Certifications do not mean that the individual can fill the role effectively, or bring the necessary wisdom of cause and effect analysis (especially in IR events).

As a rule of thumb I look for three years of direct hands-on experience PER security certification. If they have a CEH then I want to see three years of CEH hands-on experience. If it's a management role then I want to see five years of direct management experience to support that CISM certification. Certifications should be a capstone achievement that *supports* a security professional's accomplishments within the cyber security space. It must never be a replacement for.

I personally think there is a certification mill out there that is making a lot of money for educational firms, but producing very little actual hands-on experienced candidates to pull from. Great for the education business, not so good for those of us on the front line.

I'd be interested to know how many companies are short on security staff not due to salary but due to a moderate to high fear that hiring talented security professionals opens them up to a potential breach. Whether the fear is founded or not, I've seen it at work (my perception, not putting words in mouths), and good assets who were rough around the edges were passed over for cleaner but less talented hackers. Trust is huge, especially when the talent you're looking at might have a criminal record, but it's part of the hiring dance and sometimes a bigger deal breaker than salary.
